Chrome Use Subject to Restrictions in Dutch Schools Over Data Security Concerns
The Dutch Ministry of Education has decided to impose some restrictions on the use of the Chrome OS and Chrome web browser until August 2023 over concerns about data privacy.
The officials worry that Google services collect student data and make it available to large advertising networks, who use it for purposes beyond helping education.
Since the national watchdog doesn’t know where or how the students’ personal data is stored and processed, there are concerns about violating European Union’s GDPR (General Data Protection Regulation).
Netherland’s Minister of Education and the Minister of Primary and Secondary Education have co-signed a letter to the Dutch parliament where they describe a range of cybersecurity and data protection matters.
The letter explains that conversations were held with Google, Microsoft, and Zoom, on the sensitive matter of data protection, and assurances were given to make future versions of software products more transparent and compatible with data protection regulations enforced across the EU space.
Also Read: 5 Best practices for protecting corporate data when an employee leaves
In the case of Google, the tech giant promised that new versions for the Chrome web browser and the Chrome OS would be ready by next year, so some usage restrictions apply until then, when the Dutch regulator will make a new assessment.
Educational institutes and schools that wish to continue using Google services in the meantime will have to perform additional actions as described in the SURF guidelines.
These actions include implementing specific Group Policies and disabling services like automatic website translation and spell checks that can leak user data away from Europe.
Also, the geographical location for data storage of the Google Cloud service must be set to Europe, and users need to be restricted from changing the setting.
Finally, ad personalization must be set to “off”, YouTube embedding must be used with ‘privacy-enhanced mode’, and the Google Search engine must be avoided altogether.
Other cases of data privacy concerns
Google’s services have raised multiple concerns across Europe, about data privacy and the opaque data collection practices behind them.
Also Read: The necessity of conducting penetration testing and vulnerability assessment
In January 2022, Austria’s data protection authority decided that using Google Analytics violates GDPR, because collecting website visitors’ data was done with the the users’ specific consent and transferred outside Europe.
The French data protection office (CNIL) followed suit with a similar decision in February 2022, and later warned Google that minor changes won’t reverse the decision.
This month, the Danish DPA imposed a ban on the use of Google Workspace and Chromebooks in one of the country’s municipalities, Elsinore, criticizing the uncontrolled data transfers to third countries.
Update July 23: A member of the Google Netherlands Communications team has informed BleepingComputer that Chrome and Chrome OS are not banned in the education sector of the country, and that schools may continue using them provided that they perform certain actions themselves to strengthen data security and ensure student privacy.
All education institutes in the Netherlands that wish to continue using Google services are expected to implement these additional data protection measures until Google updates its products as agreed, in 2023.
Note: The article body and title have been updated to clarify that the Dutch Ministry of Education did not ban Chrome OS and the Chrome browser for educational use.